
You have been re-routed to the Virus:DOS/Rovnix.F write up because Trojan:DOS/Rovnix.F has been renamed to Virus:DOS/Rovnix.F
 

Virus:DOS/Rovnix.F


Microsoft security software detects and removes this threat.

This trojan downloads other malware onto your computer.

It is installed by TrojanDropper:Win32/Rovnix.I.



What to do now

If you suspect you have been infected with this threat, we recommend you use Windows Defender Offline.

Windows Defender Offline is a standalone tool that has the latest antivirus updates from Microsoft.

It is not a replacement for a full antivirus solution that provides ongoing protection. It is meant to be used in situations where you cannot start or scan your computer because it is infected with malware that prevents antivirus products from working normally.

Before you begin you will need:

  • A computer that is not infected and is connected to the Internet. You will use this computer to download a copy of Windows Defender Offline
  • A blank CD, DVD or USB drive (also known as a USB key or thumb drive). You will use this CD, DVD or USB drive to run the tool on your infected computer

Follow these steps to use Windows Defender Offline:

  1. Use an uninfected computer to download a copy of the tool from here: Windows Defender Offline

    In order for the recovery tool to be effective, make sure you download the version that matches your infected computer. For example, your desktop computer has been infected with malware. The computer is running a 64-bit version of Windows. Your friend's laptop, however, is not infected, and so you use that to download Windows Defender Offline. Your friend's laptop is running a 32-bit version of Windows, so when you download the tool, you choose the 64-bit version, because that is the version that matches your computer.

  2. Install the tool on a blank CD, DVD, or USB drive
  3. Insert the CD, DVD, or USB drive into your infected computer and run the tool
  4. Let the tool clean your computer and remove any infections it finds

After running the tool, ensure that your antivirus product is up-to-date. You can update Microsoft security products by downloading the latest definitions at this link: Get the latest definitions. You can use the Microsoft Safety Scanner if you suspect you are infected but are unable to confirm this with your existing antivirus software.

For detailed instructions on using Windows Defender Offline, see the Microsoft Security Blog post Microsoft's Free Security Tools - Windows Defender Offline.

Run the Bootrec.exe tool

To completely remove this threat you might need to run the Bootrec.exe tool using your Windows installation CD.

For Windows 8:

  1. Put your Windows 8 media in the DVD drive and restart your PC.
  2. Select a language, time and currency, and keyboard or input method, and then click Next.
  3. Click Repair your computer.
  4. Click Troubleshoot, then Advanced options.
  5. Click Command Prompt and then type Bootrec /FixBoot and then press Enter.
  6. Type Exit and then press Enter.
  7. At the Choose an Option screen click Continue.
  8. Remove the Windows 8 CD from your DVD drive and restart your PC.

For Windows 7:

  1. Put your Windows 7 media in the DVD drive and restart your PC.
  2. Press any key when you are prompted.
  3. Select a language, time and currency, and keyboard or input method, and then click Next.
  4. Click Repair your computer.
  5. Select the operating system that you want to repair, and then click Next.
  6. In the System Recovery Options dialog box, click Command Prompt.
  7. Type Bootrec.exe /fixboot, and then press Enter.
  8. Remove the Windows 7 CD from your DVD drive and restart your PC.

Threat behavior

Installation

Trojan:DOS/Rovnix.F may be installed by TrojanDropper:Win32/Rovnix.I.

Trojan:DOS/Rovnix.F is a detection for a malicious volume boot record (VBR). It tries to tamper with some Windows kernel data to load its own malicious driver. This trick may bypass driver signature enforcement on a 64-bit system.

To hide itself, the trojan intercepts the hard disk I/O (input / output) operation. It restores the original clean copy of the VBR if it is accessed during the operation.
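Because the bootkit hands back the clean VBR whenever the sector is read from the running system, a triage script that only reads the VBR from inside Windows sees nothing wrong. The added example below is not Microsoft's code and not part of this write-up; it parses an NTFS-style VBR, runs a few structural checks, and compares a sector captured from the live system with one captured offline (for instance from the Windows Defender Offline environment recommended above). All sample sectors, field values and the "live"/"offline" captures are constructed for the example; how the two sector reads are obtained on a real machine is left to the operator.

```python
"""Triage helpers for a suspected VBR bootkit: parse an NTFS volume boot record,
run basic structural checks, and compare a sector read from the running OS against
one read offline. Every sample sector here is constructed for the example."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_OFFSET = 0x54          # start of the 426-byte bootstrap code region
SIGNATURE_OFFSET = 0x1FE         # 55 AA boot signature
TYPICAL_NTFS_JUMP = b"\xeb\x52\x90"   # jmp short 0x54 ; nop


def build_constructed_vbr(bootstrap: bytes, jump: bytes = TYPICAL_NTFS_JUMP) -> bytes:
    """Assemble a plausible NTFS-style VBR around the given bootstrap bytes.
    Field values are made up for the example; only the layout follows NTFS."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = jump[:3].ljust(3, b"\x90")
    sector[3:11] = b"NTFS    "                                   # OEM ID
    struct.pack_into("<HB", sector, 0x0B, 512, 8)                # bytes/sector, sectors/cluster
    sector[0x15] = 0xF8                                          # media descriptor: fixed disk
    struct.pack_into("<HHI", sector, 0x18, 63, 255, 2048)        # sectors/track, heads, hidden sectors
    struct.pack_into("<I", sector, 0x24, 0x80008000)
    struct.pack_into("<QQQ", sector, 0x28, 204800, 786432, 2)    # total sectors, $MFT, $MFTMirr clusters
    sector[0x40] = 0xF6                                          # clusters per MFT record (2^10 bytes)
    sector[0x44] = 0x01                                          # clusters per index buffer
    struct.pack_into("<Q", sector, 0x48, 0x1234567890ABCDEF)     # volume serial (constructed)
    sector[BOOTSTRAP_OFFSET:SIGNATURE_OFFSET] = bootstrap[:426].ljust(426, b"\x00")
    struct.pack_into("<H", sector, SIGNATURE_OFFSET, 0xAA55)     # stored on disk as 55 AA
    return bytes(sector)


def parse_vbr(sector: bytes) -> dict:
    """Decode the fields a triage script needs from one 512-byte VBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    hidden_sectors, = struct.unpack_from("<I", sector, 0x1C)
    total_sectors, mft_cluster, mftmirr_cluster = struct.unpack_from("<QQQ", sector, 0x28)
    signature, = struct.unpack_from("<H", sector, SIGNATURE_OFFSET)
    return {
        "jump": bytes(sector[0:3]),
        "oem_id": sector[3:11].decode("ascii", "replace").rstrip(),
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "hidden_sectors": hidden_sectors,
        "total_sectors": total_sectors,
        "mft_cluster": mft_cluster,
        "mftmirr_cluster": mftmirr_cluster,
        "signature_ok": signature == 0xAA55,
        "bootstrap_sha256": hashlib.sha256(sector[BOOTSTRAP_OFFSET:SIGNATURE_OFFSET]).hexdigest(),
        "sector_sha256": hashlib.sha256(sector).hexdigest(),
    }


def structural_findings(info: dict) -> list:
    """Cheap sanity checks on one parsed VBR. A clean NTFS VBR produces none."""
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature is not 55 AA")
    if info["oem_id"] != "NTFS":
        findings.append("OEM ID is not NTFS")
    if info["jump"] != TYPICAL_NTFS_JUMP:
        findings.append("jump instruction differs from the usual NTFS entry (EB 52 90)")
    if info["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        findings.append("bytes per sector is not a valid value")
    return findings


def compare_live_vs_offline(live: bytes, offline: bytes) -> dict:
    """Compare the VBR as seen by the running OS with one read from boot media.
    A bootkit that restores a clean copy on read makes the two differ, so the
    offline read is the one to trust and to hash for the incident record."""
    live_info, offline_info = parse_vbr(live), parse_vbr(offline)
    findings = structural_findings(offline_info)
    if live == offline:
        return {"hidden_modification": False, "findings": findings}
    bpb_same = live[0x0B:BOOTSTRAP_OFFSET] == offline[0x0B:BOOTSTRAP_OFFSET]
    code_same = live_info["bootstrap_sha256"] == offline_info["bootstrap_sha256"]
    if bpb_same and not code_same:
        findings.append("bootstrap code differs between live and offline reads while the BPB is identical: "
                        "consistent with disk I/O interception serving a clean VBR to the running OS")
    elif not bpb_same:
        findings.append("BIOS parameter block differs between live and offline reads")
    else:
        findings.append("header bytes (jump/OEM ID) differ between live and offline reads")
    return {"hidden_modification": True, "findings": findings,
            "live_sha256": live_info["sector_sha256"], "offline_sha256": offline_info["sector_sha256"]}


# Constructed captures: a benign bootstrap stub standing in for the "live" read, and a
# modified sector standing in for the "offline" read. Neither is real malware code.
CLEAN_VBR = build_constructed_vbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 40)
TAMPERED_VBR = build_constructed_vbr(b"\x31\xc0\x8e\xd8" + b"\xcc" * 40, jump=b"\xeb\x70\x90")

if __name__ == "__main__":
    report = compare_live_vs_offline(CLEAN_VBR, TAMPERED_VBR)
    for finding in report["findings"]:
        print("-", finding)
    print("hidden modification:", report["hidden_modification"])
```

The point of the comparison is the one the write-up makes: a single read taken from inside the infected OS is not evidence of a clean VBR, because the intercepting driver restores the original copy on access. Record the hash of the offline read, and re-run the comparison after Bootrec.exe /FixBoot has rewritten the sector to confirm that both reads now agree.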

Payload

Installs other malware

The malicious driver injects other malware components into explorer.exe.

These components contact the domain youtubeflashserver.com to download other malware.

Analysis by Chun Feng


Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.

Prevention


Alert level: Severe
This entry was first published on: Jul 11, 2013
This entry was updated on: Feb 17, 2014

This threat is also detected as:
No known aliases